Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
8/27/2015
09:05 AM
Gavin Millard
Gavin Millard
Partner Perspectives
50%
50%

Flash: Web Browser Plugins Are Vulnerable

Maybe it's time to uninstall Flash for those that don't need it and continuously monitor those that do.

Adobe Flash has been in the press a lot recently after zero day vulnerabilities were disclosed. Facebook's CISO is calling for an end of life date, and Brian Krebs, the well-known infosec journalist (along with many others), is calling for everyone to uninstall the software. Flash has had major vulnerabilities in the past; everyone is used to seeing the almost daily popup from Adobe requesting an install of the latest version, so why all the sudden momentum?

When the treasure trove of information from the Hacking Team breach was reviewed by eagle-eyed researchers, they discovered that the security company of choice for dictatorships had three previously undisclosed and unpatched vulnerabilities they’d be leveraging to infect targets. The vulnerabilities were bad; in fact the Hacking Team described one as, “the most beautiful Flash bug for the last four years.” The 400GB data dump also included handy, proof of concept code that was quickly rolled into the Angler and Neutrino exploit kits before Adobe even had a chance to release an updated version of Flash to fix the “beautiful bug.”

The first stage of an attack is often the initial foothold, getting a malicious virtual foot in the door. For a targeted attack, this foothold is frequently established by phishing or social engineering, persuading a hapless employee to give up credentials, click on a link, plug in a dodgy USB device, or download and run malicious code. If we look at the famous RSA breach of a few years ago, the initial intrusion was allegedly via an email containing a spreadsheet of salaries; the desire for employees to get a glimpse of their peers’ earnings was tempting enough for them to ignore all the training they’d had from the security team.

Manipulation of “Layer 8” insecurities is a frequently leveraged approach to breaking in, but why go to that effort when easily exploitable and unpatched browser or plugin vulnerabilities are running on millions of laptops? Cybercriminals will often take the easy path to infection, targeting the low hanging fruit with off-the-shelf malware, rather than create bespoke, complex and targeted code. We hear so much about Advanced Persistent Threats, but for the majority of users, intrusions are more likely to come from leveraging a known, and easily exploitable, vulnerability.

Uninstall Flash Unless It Is Required

If there are no fixes available or the patch rate is greater than a few days to deploy the ones that are, what can be done to protect users from this increasing threat vector? Uninstalling vulnerable software is a viable option, but many still require it for their day-to-day work to use business critical systems, and for playing browser games. Disabling Flash or “Click-to-Play” is another option, but users can easily be manipulated into running the Flash player. Anti-malware solutions offer some protection, but even if they are deployed and up to date, they are often behind the curve of detecting the latest obfuscation techniques utilized by the exploit kit authors. If you can’t prevent, you need to detect. 

Utilize Strong Detective Controls On Systems Where Flash Is Required

The ability to detect indicators of compromise --  unexpected autoruns, malicious known code missed by AV software, connections to Command and Control servers often utilized by attackers -- have increased by leaps and bounds in the last few years and should be considered in any defense in-depth strategy. Deploying robust detective controls utilizing these approaches alongside traditional preventive and corrective controls should help decrease the risk of unknown or unpatched client side vulnerabilities being used as the initial foothold many fear.

One major concern surrounding the use of detective controls is the false positive issue causing security analysts to drown under the weight of alerts from the different threat intelligence feeds and logs. This is where context is critical. One approach for focusing on the risky rather than the risk-free, is to identify systems that are using known browser plugins targeted by malware authors, or out of date browsers that are easily attacked, and then to leverage this context for elevating alerts of possible indicators of compromise on those affected systems.

Visibility is another concern. What about all those remote workers who are now a favored target because they are less protected than their counterparts in corporate headquarters? Agents installed on their devices can collect vulnerability information, software inventory, configuration issues and the indicators of compromise. Agents should always be considered in a rigorous detective control program, and the collected data should be sent back to corporate for correlation and prioritization.

Since Steve Jobs made the controversial decision to keep Flash off Apple’s shiny iOS devices, many mainstream websites have made the move to HTML5 or alternate technologies to support the millions of devoted fans of all things “i.” Maybe it’s time to uninstall Flash for those that don’t need it and continuously monitor for indicators of compromise for those that do.

Gavin Millard is a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps bring these companies to a trusted state of IT infrastructure. He previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sdecatur328
100%
0%
sdecatur328,
User Rank: Apprentice
8/27/2015 | 9:46:30 AM
Oxymorons
Funny how a website article about the vulnerability of Flash, wants you to run the add-on Adobe Flash Player from Adobe Systems Incorporated...
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-35210
PUBLISHED: 2021-06-23
Contao 4.5.x through 4.9.x before 4.9.16, and 4.10.x through 4.11.x before 4.11.5, allows XSS. It is possible to inject code into the tl_log table that will be executed in the browser when the system log is called in the back end.
CVE-2021-27649
PUBLISHED: 2021-06-23
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2021-29084
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2021-29085
PUBLISHED: 2021-06-23
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2021-29086
PUBLISHED: 2021-06-23
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.